As an eduroam SP, you can either deploy no network-side proxy at all (preferred!) or deploy a transparent web content proxy. Deploying a proxy that requires manual settings is not acceptable and technically not possible: doing so would require every incoming eduroam visitor to modify their device configuration with the manual proxy settings at hand.
Client devices can typically auto-detect proxy settings easily: the automatic WPAD discovery protocol allows the eduroam SP operator to point users to the proxy address if any, or to announce that no proxy is in use. eduroam installers configure client devices to look for such configuration information on the network.
As an eduroam SP, you should always provide proxy configuration information, even if the information is limited to stating “no proxy here”. You can do so either (preferably) in DHCP responses or in specially crafted DNS Resource Records in your domain.
Set up of networking equipment in the network core
Since an eduroam hotspot always uses the RADIUS protocol to connect to a RADIUS authentication server, your network setup must allow this RADIUS communication. This includes opening firewalls for traffic from the WLAN equipment (AP/Controller) to UDP port 1812 (do not confuse this with TCP!). The RADIUS protocol can easily create UDP fragments, and will not function fully without UDP fragmentation support. Be sure to check whether your equipment supports and allows forwarding of UDP fragments. For accounting, UDP port 1813 also needs to be opened.
If you deploy your own RADIUS server for eduroam SP purposes (see below), also make sure that its own uplinks to your National Roaming Operator are open in the same way.
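To illustrate the fragmentation point above, here is an added example (not part of the original page or of eduroam's own tooling) that builds a RADIUS Access-Request carrying a large EAP message and lists the IPv4 fragments it produces on a 1500-byte MTU link. The attribute values and the 1400-byte EAP payload are constructed sample data, and IPv4 without header options is assumed.

```python
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
IP_HEADER, UDP_HEADER = 20, 8                # IPv4 header without options, UDP header

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("a RADIUS attribute value holds at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(eap_packet: bytes, other_attrs=(), identifier: int = 1) -> bytes:
    """Build an Access-Request (code 1) carrying eap_packet in EAP-Message attributes."""
    attrs = b"".join(attribute(t, v) for t, v in other_attrs)
    # A long EAP packet is split across consecutive EAP-Message attributes.
    for i in range(0, len(eap_packet), 253):
        attrs += attribute(EAP_MESSAGE, eap_packet[i:i + 253])
    # Zeroed placeholder; a real client writes an HMAC-MD5 over the packet here.
    attrs += attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs)
    if length > 4096:
        raise ValueError("RADIUS packets are limited to 4096 bytes")
    return struct.pack("!BBH", 1, identifier, length) + os.urandom(16) + attrs

def ipv4_fragments(radius_packet: bytes, mtu: int = 1500):
    """Return (offset, size, has_udp_header) for each fragment of the UDP datagram."""
    datagram = UDP_HEADER + len(radius_packet)
    per_fragment = (mtu - IP_HEADER) // 8 * 8  # fragment data is a multiple of 8 bytes
    # Only the fragment at offset 0 contains the UDP header with port 1812.
    return [(off, min(per_fragment, datagram - off), off == 0)
            for off in range(0, datagram, per_fragment)]

# Constructed sample data: typical attributes an AP adds, plus one EAP-TLS-sized payload.
SAMPLE_ATTRS = [
    (1, b"anonymous@example.org"),       # User-Name
    (31, b"02-00-00-00-00-01"),          # Calling-Station-Id
    (30, b"02-00-00-00-00-02:eduroam"),  # Called-Station-Id
    (32, b"ap-constructed-01"),          # NAS-Identifier
]
SAMPLE_EAP = bytes(1400)

if __name__ == "__main__":
    pkt = build_access_request(SAMPLE_EAP, SAMPLE_ATTRS)
    print(f"RADIUS packet: {len(pkt)} bytes")
    for offset, size, has_udp in ipv4_fragments(pkt):
        print(f"fragment offset={offset} size={size} udp_header={has_udp}")
```

The second fragment carries no UDP header, so a firewall rule that matches only on destination port 1812 cannot identify it; this is why fragment forwarding has to be supported and allowed explicitly.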
More information on how to configure this can be found at: https://confluence.terena.org/display/H2eduroam/eduroam+SP